CIO Leadership

What Do You Do When The Greatest Threat To Your Security Is One Of You?

We can find ourselves hostage to a person in IT who alone holds access to key programs and data. How do you prevent such a vulnerability, and what do you do if it’s too late? Here are three practical plans to work through.

Scott Smeester

//

November 16, 2023

Photo credit:
Aziz Acharki
The patriots of 1776 had far more to fear from Benedict Arnold than they did King George. An enemy easily identified is much less formidable than one who marches in the uniform of an ally.” Chuck Baldwin

Benedict Arnold was a successful merchant, a victor in duels to defend his reputation, an early hero of the American Revolution, and a builder of one of America’s first naval fleets.

And then.

He became disillusioned with the cause. He watched as five juniors were promoted over him. He became angry at others allegedly taking credit for his own achievements.

He became a turncoat, plotting with British leadership to surrender West Point. It would have been a major blow to American efforts.

Some say he did it out of greed. Others that he was being influenced by his young wife. But it was far more personal than that: disillusionment, disappointment and defensiveness is all that is required for good people to become bad actors.

Some of you have one person who alone holds access to critical programs and data. You are in a dangerous place. An ally can quickly become an adversary. No one is far from a disillusioned place.

As a result, you are being held hostage whether it is recognized or not. The ransom is their continued control, and you pay it every time you are afraid to make a change or are unwilling to confront unhealthy behavior,

What Do You Do When The Hero Among You Could So Easily Betray You?

You find yourself in one of three stages:

  • The threat is possible but not real
  • Time to “head them off at the pass.”
  • You are facing a clear and present danger.

Stage 1: You are still in control - make the possible threat impossible

I hope this is you. I’ve raised an issue, you haven’t thought about this, and you can be proactive and preventative. If so, there are several priorities to put into place.

Implement Access Policies: Establish clear policies regarding access to systems and data. This should include multi-user access controls and an understanding that all passwords and access credentials are company property.

Create a Redundancy Plan: Set up a system where at least two people have access to critical systems. This doesn't mean they have to use this access regularly, but it ensures that someone else can step in if needed.

Introduce Role-based Access Control (RBAC): Implement RBAC where access rights are grouped by role, and access to resources is determined by the roles assigned to individual users. This can help in distributing access among several employees based on their job requirements.

Conduct Regular Audits and Reviews: Regularly review who has access to what. This should be a standard business practice, not something targeted at the specific individual.

Stage 2: You must be very wise - partnership first, power-play second

The first step in this stage is to set up a person as a hero. The focus is not on the individual or lack of trust, but on the weakness of the organization and their ability to contribute meaningfully.

Before I list some practical options, I need you to think with me.

A people problem is rarely a people problem. It is a leadership problem. We have not done our job to connect, to develop, to build mutual trust, to help a person succeed not only at their task, but at life. Everyone comes to work with forces opposed to them, ideas and ways of doing things that are set against them, and with an insecure self.

With that in mind, the following steps have reconnection as a common thread and priority. And reconnection is based on understanding that every person, including a potential bad actor, lives with a desired state and in a current state - they want something and they don’t have it. Leaders get them to where they want to be.

To enlist an employee as a partner, consider doing the following:

Involve Third-Party Experts: You have two approaches; I have been successful in doing both.

One is to involve IT into a greater transformation effort. You put your company or organization, not just one department, through an assessment and growth plan. This levels the playing field, disperses the focus, and allows your IT person to positively affect the business.

The second is to consider hiring an external IT consultant or service to audit your systems and recommend best practices for access and security. This works if the objective is to give your IT person someone who provides value to them, makes future work easier for them, and is someone who would be respected by them because of their credentials. You are partnering with them in areas important to them.

Educate and Train Staff: Educate your staff about the importance of data security and the reasons behind access control policies. This helps in creating a culture of shared responsibility. Enlist your IT employee as a subject matter expert.

Assume the Best: Approach your IT employee in a non-confrontational way, emphasizing the need for these practices as part of standard business growth and risk management. Make it about the business's needs rather than a lack of trust in them.

Document: Ensure that all procedures, access details, and system configurations are well documented. This documentation should be accessible to more than one person but still secure.

Transition Gradually: Start slowly implementing these changes without making drastic immediate changes that might trigger a defensive reaction.

Stage 3: The Showdown

In his book, Necessary Endings, Dr. Henry Cloud talks about the Wise person, the Foolish person and the Evil person. You may object to the titles, but the concept is clear: a wise person responds to feedback you give them; a foolish person requires limits and potential consequences to get them to act in your interest; an evil person will choose to do harm, and you must act to protect yourself and your company.

If a showdown is becoming real (images of High Noon come to mind), you need two dynamics in place.

The first is a contingency plan that may require a temporary IT support plan from an outside provider.

The second is to bring in the lawyers. You cannot violate an employee agreement; but your lawyers will be sure to meet a threat if an employee is considering action that could bring harm to the company.

I believe in people. You need only read me a few times to pick up on that. If Benedict Arnold is in your midst, it is on us to do everything we reasonably can to turn him before he turns on us. And often that means turning to him, paying attention and connecting, disarming the villains of disillusionment, disappointment and defensiveness. The key to answering unmet desires is to meet them.

Sadly, we work with people who are so wounded and dysfunctional that hope for change is of no interest to them at present.

And so we need to make the change.

It’s never about the uniform our colleagues wear, it’s about the alliance that they show.

Alignment Survey

Interested in what CIO Mastermind could do for you?

* Designed for all IT executives and CEOs, CFOs and Board Members

All Article categories

Access Our Library